Help with php sessions
Posted: Wed Aug 06, 2008 3:13 am
by autopdr
Hi Guys
I have only basic php skills and need some help with sessions (well I think I need sessions).
I am building a simple site for a client from which we are streaming pay per view presentations.
These will be purchased via Buy Now buttons with PayPal.
PayPal will redirect the buyer to a page with the presentation stream once payment is completed.
I therefore need to stop buyers from returning to this page or refreshing the page to view again.
So my goals are:
1. Allow the page to be viewed only if redirected from PayPal
2. Do not allow the page to be refreshed
3. Do not allow the page to be revisited via cached URL, bookmark, favourite, copy and pasting full URL into new window etc
4. If possible hide or mask the URL
I've had a search through the site but couldn't find anything close so any pointers, tutorials or snippets (with explanation for dummies) would be appreciated.
Re: Help with php sessions
Posted: Wed Aug 06, 2008 9:31 am
by ghurtado
What you want to do is deny access to the presentations to all users by default. Then you would have to "remember" that a user has paid to view a presentation (by setting a session variable or writing something to the database, or whatever method suits you best), so that they can actually see the presentation they just paid for.
As an aside, your client is going to have a lot of angry customers; I don't think anyone would like it if they accidentally clicked "refresh" on their browser (or their browser crashed, or a dozen other things that can go wrong) just to find out they can no longer view the presentation they just paid for.
Re: Help with php sessions
Posted: Wed Aug 06, 2008 10:45 am
by chaos
All of the measures you're talking about will 1) greatly anger ordinary users, 2) provide no impediment whatsoever to knowledgeable people who want to pirate your content (and who are likely, in fact, to be motivated to do so just to mock your attempt to lock it down).
The futility lies in the fact that all of what you're planning to do depends on the Web user agent behaving as if it were under your control rather than the user's. All security based on that thinking is trivially defeated.
Re: Help with php sessions
Posted: Wed Aug 06, 2008 11:39 am
by autopdr
Dear Chaos
I really do not see the point in responding to a post in that manner. Did you get out of the bed on the wrong side?
How about something helpful and constructive instead of the "hey get me! I'm so clever and can make you look stupid by slagging-off your ideas."
You also make too many assumptions as well.
a) You have no idea of the nature of the content.
b) The content source cannot be accessed or even discovered as it is buried in a database on a third-party server. It could be ripped using a screen capture programme but then so can everything.
c) There is no ordinary user. The user that will wish to pay to view the content will have been warned that this is pay-once view-once before they pay which makes it no different to watching any pay per view stream, and will have a whole lot more to worry about than getting their hackers kit out. But having said that "ghurtado" makes some important comments about crashing and other unforeseens that are both helpful and constructive.
So I suggest in future that unless you have anything useful to say in a helpful and constructive manner - you stay in bed.
Re: Help with php sessions
Posted: Wed Aug 06, 2008 12:23 pm
by chaos
Bonus points for trying to make me responsible for your emotional state, but if your ideas are poor, there's little I can do about the fact that pointing out what's wrong with them is likely to make you feel stupid.
So, let's address your points.
a) I know what you told me. If I needed to know more than that in order to provide useful feedback, guess whose fault it is that I lacked this information?
b) This is where it gets hard not to be brutal, but I'll try. Okay. Upon a completed payment, you are going to send the client browser instructions, in some form, on how to access this content. Because if it were, in fact, completely inaccessible, your paying users would never be able to view it. Correct? So, in one form or another, your content will be transmitted to the client browser in order to be viewed. Because the client is not under your control, it can do whatever it likes with that data. What you want is for it to display it, once, but you have no way of stopping it from saving it to disk instead. (You have ways of making it harder. Since you've said nothing about the video format or viewer software you're using, I don't know what's going on there.) Screen capture need not enter into it.
c) Whatever.
But sure. Let's be constructive and helpful, and hit your original points.
1) The way you phrase it sounds like you're going to be checking $_SERVER['HTTP_REFERER'] to see if it's the appropriate Paypal page. Since referer is whatever the browser decides it is, this would be the first trivial way to hack your system. In order to securely acknowledge a payment, you need to identify your user in some way (such as by a username/password based session authentication system; google 'php session'), send some kind of identifying token to Paypal when the user is sent there, and use Paypal's more advanced level of payment acknowledgement features (where they post payment information to a URL on your site when a transaction completes), matching up the identifying token from the Paypal postback with your user in order to determine that they've processed a payment.
2) Assuming you have your user identification mechanism, session-based or otherwise, described above, this is part of it. When the user's payment was processed, you presumably added 1 to the number of views they're allowed. In this part, you simply don't display the content unless that number of allowed views is over 0, and you subtract 1 from the number of views if the view was allowed.
3) You can advise the client browser not to cache the page using the cache-control directive (google 'cache-control'). The browser can do whatever it likes with your advisement, such as ignore it. You cannot prevent the URL from being recorded, favorited, bookmarked, etc. You can only prevent it from displaying the content again if the page is revisited, per 2).
4) You can hide the URL, very slightly (i.e. anyone who cares can still find out what it is) by displaying the content in a pop-up window that was generated without a location toolbar (google 'window.open'). Again, this depends on the browser cooperating with you.
Hope you're happy now. Have fun annoying your users.
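The flow chaos outlines in points 1) to 3), written out as an added PHP example (not code from anyone in this thread): a PayPal IPN handler that verifies the postback and credits a view to the user whose token was sent in the Buy Now form's `custom` field, and a view page that consumes one credit atomically and sends no-cache headers. It assumes a PDO handle `$db`, a `users` table (`id`, `ipn_token`, `allowed_views`), a `payments` table with a UNIQUE `txn_id` column, and hypothetical file names; it also adds a replay check on `txn_id` that the thread does not mention.

```php
<?php
// ---- ipn.php: PayPal posts here when a transaction completes ----
function handle_ipn(PDO $db, array $post): bool {
    // Echo the notification back to PayPal with cmd=_notify-validate;
    // PayPal answers VERIFIED only if it really sent it. The raw POST
    // alone proves nothing: anyone can post "payment_status=Completed".
    $body = http_build_query(['cmd' => '_notify-validate'] + $post);
    $ctx  = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $body]]);
    $reply = file_get_contents('https://ipnpb.paypal.com/cgi-bin/webscr', false, $ctx);
    if ($reply !== 'VERIFIED' || ($post['payment_status'] ?? '') !== 'Completed') {
        return false;
    }
    // UNIQUE txn_id: a replayed notification cannot credit a second view.
    try {
        $db->prepare('INSERT INTO payments (txn_id) VALUES (?)')
           ->execute([$post['txn_id'] ?? '']);
    } catch (PDOException $e) {
        return false;                        // duplicate txn_id, already credited
    }
    // Match the token we put in the Buy Now "custom" field to our user.
    $stmt = $db->prepare('UPDATE users SET allowed_views = allowed_views + 1
                          WHERE ipn_token = ?');
    $stmt->execute([$post['custom'] ?? '']);
    return $stmt->rowCount() === 1;
}

// ---- view.php: the page PayPal returns the buyer to ----
function consume_view(PDO $db, int $userId): bool {
    // One statement both checks and decrements, so two parallel requests
    // (double-click, refresh) cannot each pass the > 0 check separately.
    $stmt = $db->prepare('UPDATE users SET allowed_views = allowed_views - 1
                          WHERE id = ? AND allowed_views > 0');
    $stmt->execute([$userId]);
    return $stmt->rowCount() === 1;
}

session_start();                             // identify the user, not the referer
if (empty($_SESSION['user_id'])) { header('Location: /login.php'); exit; }
if (!consume_view($db, (int) $_SESSION['user_id'])) {
    http_response_code(403);
    exit('No views remaining');
}
// Advisory only, as chaos says: the browser may still cache or save the stream.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
// ... embed the presentation stream here ...
```

Note that `view.php` never looks at `HTTP_REFERER`; the session plus the server-side credit is what decides access, and the credit is only ever granted by the verified IPN postback.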